IM Worm Attack Cloaked in Virtual Card Hoax - W32Heartworm.A


The Net has a long history of hoaxes, and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or to avoid the gaze of the all-seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes and tie it into an actual infection. There's an MSN network instant messaging infection currently on the prowl that has a little fun at the good guys' expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle, and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message like the one in the screenshot from the original post appear on your screen.

Click the link, and you're taken to the download site pictured in the original post's second screenshot.

Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see... this: a picture of a heart (shown in the original post's third screenshot).

...confused yet?

Allow me to explain. Rewind back to the infection site - it speaks of a "virtual card for you". Examine the URL the strange heart picture comes from - Quatrocantos, a well-known site dedicated to exposing online web hoaxes. That's right - the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), an image which itself refers to a "fake" virtual card hoax, and tie it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on), for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call 'hoax cloaking'. It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a 'media virus'.

For example, a natural response from a user might be to Google 'A Virtual Card For You' to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, McAfee, Trend Micro, and F-Secure all warning this is a hoax, and the rest of the sites are very well known and trusted hoax-busting sites. The criminal taps into three layers of trust using a hoax, which is pretty sophisticated behavior and pretty rarely seen." You can see some more information in the press release.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

1 TrackBack

Remember the modular Pipeline Worm the FaceTime Security Labs Team uncovered recently? The W32.Pipeline Worm, which hit right before the really strange MSN HeartWorm.a... Thanks to the guys Twisted Pair at Network for the mention of the menace. They als...


You left the URL in the last pic, be careful.

The picture of the heart is served up by a site that tackles online hoaxes, and is perfectly safe. That's why we didn't remove the URL.

Memetic engineering? Who remembers the ILoveYou worm in the spring of 2000? It was a beautifully written piece of VBScript (this non-programmer was able to understand each step in the code), packaged up into a message with the most powerful phrase known to man.

It did a helluva lot of damage in the wild, and it was not a happy time to be in a tech support role during this period and Y2K...

And all this at the beginning of the dot-com bomb.

Help, req knowledge for heartworm

OK, I know a lot about this heartworm worm/hoax. But I have an infected computer on my network (more than 250 PCs). Luckily I discovered it right away and prevented it from spreading in my company; I removed it from my domain.
I've been surfing the entire web (English and Spanish sites) looking for a removal tool or actions, and still can't find anything.
So please, if someone knows something, please email me.


About this Entry

This page contains a single entry by Christopher Boyd published on September 22, 2006 7:26 AM.
